$285M Drift Hack Tracks 6-Month North Korean Social Engineering Operation

April 5, 2026

Drift revealed that the April 1, 2026 attack, which resulted in the theft of $285 million, was the culmination of a months-long, targeted, well-planned social engineering operation by the Democratic People’s Republic of Korea (DPRK) that began in the fall of 2025.

The Solana-based decentralized exchange described the attack as a “six-month effort” and attributed it with moderate confidence to a North Korean state-sponsored hacking group called UNC4736, which is also tracked under the codenames AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces.

This threat actor has a history of targeting the cryptocurrency sector for financial theft since at least 2018. It is best known for the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of decentralized finance (DeFi) platform Radiant Capital in October 2024.

“The foundations of this connection are both on-chain (the flow of funds used to stage and test this operation traces back to the Radiant actors) and operational (the personas deployed throughout this operation have identifiable overlap with known North Korea-related activity),” Drift said in an analysis on Sunday.

In an assessment published in late January 2026, cybersecurity firm CrowdStrike described Golden Chollima as an offshoot of Labyrinth Chollima that targets small fintech companies in the United States, Canada, South Korea, India, and Western Europe, primarily for crypto theft.

“The attackers typically commit small-value thefts with a more consistent operational tempo, suggesting they are responsible for ensuring basic revenue generation for the North Korean regime,” CrowdStrike said. “Despite improving trade relations with Russia, North Korea needs additional revenues to fund ambitious military programs such as building new destroyers, building nuclear submarines, and launching additional reconnaissance satellites.”

In at least one incident observed in late 2024, UNC4736 delivered a malicious Python package to a European fintech company through a fraudulent recruitment scheme. After gaining access, the threat actor moved laterally into the victim’s cloud environment to reach the IAM configuration and associated cloud resources, ultimately diverting cryptocurrency assets to adversary-controlled wallets.

How is the Drift attack thought to have developed?

Drift, which is working with law enforcement and forensic partners to piece together the sequence of events that led to the hack, said it was the target of a “structured intelligence operation” that required months of planning.

Starting in the fall of 2025, individuals posing as a quantitative trading firm approached Drift contributors at major international cryptocurrency conferences under the pretext of a protocol integration. It later became clear that this was a deliberate approach: members of the group sought out and built relationships with specific Drift contributors at several major industry conferences held in multiple countries over a six-month period.

“The person who appeared in person was not a North Korean national,” Drift explained. “North Korean threat actors operating at this level are known to deploy third-party intermediaries to establish face-to-face relationships.”

“They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operates. Their first meeting established a Telegram group, followed by months of substantive conversations about trading strategies and potential vault integrations. These interactions are typical of how trading firms interact with and participate in Drift.”

Then, sometime between December 2025 and January 2026, the group applied to launch a vault in Drift’s ecosystem, a step that requires submitting a form with details of the trading strategy. During this process, the group is said to have engaged multiple contributors, asked “detailed and informed product questions,” and at the same time deposited more than $1 million of its own funds.

This was a calculated move designed to establish a functioning operational presence within the Drift ecosystem, and Drift said integration conversations with contributors continued through February and March 2026. These included sharing links to projects, tools, and applications that the group claimed to be developing.

Following the April 1 hack, the possibility that interactions with this trading group served as the initial infection vector became a focus of the investigation. However, as Drift revealed, the group’s Telegram chats and the malicious software had been deleted around the time the attack took place.

Two main initial-access vectors are believed to have been used.

One contributor may have been compromised after cloning a code repository shared by the group as part of an effort to deploy the vault front end. A second contributor was persuaded to download a wallet product via Apple’s TestFlight in order to beta test the app.

The repository-based intrusion vector is assessed to have involved malicious Microsoft Visual Studio Code (VS Code) projects that weaponize the “tasks.json” file, using the “runOn”: “folderOpen” option so that the malicious task executes automatically as soon as the project folder is opened in the IDE.

It is worth noting that this technique has been employed by North Korean threat actors associated with the Contagious Interview campaign since December 2025, leading Microsoft to introduce new security controls in VS Code versions 1.109 and 1.110 to prevent unintended tasks from being performed when opening a workspace.
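As a defender-side check for the vector just described, here is an added example (not Drift’s or Microsoft’s code) that scans a cloned repository’s .vscode/tasks.json for tasks set to run on folderOpen before the folder is opened in VS Code. The sample tasks.json is constructed, and the file name check_tasks.py in the usage comment is assumed.

```python
"""Flag VS Code tasks that auto-run when a folder is opened ("runOn": "folderOpen").
Added example, not Drift's or Microsoft's code: scan .vscode/tasks.json of a cloned
repository before opening it in the IDE and report tasks that would fire on open."""
import json
import re
import sys

def _strip_line_comments(text: str) -> str:
    """tasks.json is JSON-with-comments; drop // comments that sit outside strings."""
    out, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str and ch == "\\":          # keep escaped char, never toggle on \"
            out.append(text[i:i + 2]); i += 2; continue
        if ch == '"':
            in_str = not in_str
        if not in_str and text.startswith("//", i):
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl  # newline itself is kept
            continue
        out.append(ch); i += 1
    return "".join(out)

def find_auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return label/type/command of every task whose runOptions.runOn is folderOpen."""
    cleaned = re.sub(r",\s*([}\]])", r"\1", _strip_line_comments(tasks_json))  # trailing commas
    flagged = []
    for task in json.loads(cleaned).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        flagged.append({"label": task.get("label", "<unnamed>"),
                        "type": task.get("type", "shell"),
                        "command": " ".join(parts).strip()})
    return flagged

# Constructed sample mimicking the weaponised layout; not taken from the incident.
SAMPLE_TASKS_JSON = """{
  // looks like a routine build step but runs as soon as the folder is opened
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "node", "args": ["scripts/setup.js"],
     "runOptions": {"runOn": "folderOpen"},},
    {"label": "test", "type": "shell", "command": "npm test"},
  ]
}"""
if __name__ == "__main__":  # usage: python check_tasks.py [path/to/.vscode/tasks.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TASKS_JSON
    for hit in find_auto_run_tasks(text):
        print(f"AUTO-RUN task {hit['label']!r} ({hit['type']}): {hit['command']}")
```

A non-empty result means the folder should be opened in Restricted Mode or not at all until the flagged command has been reviewed.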

“Our investigation has so far revealed that the profiles used in this third-party targeted operation included fully constructed identities, including employment history, official qualifications, and professional networks,” Drift said. “The people Drift contributors met in person appear to have spent months building personal and professional profiles that withstood scrutiny in their business and business relationships.”

North Korea’s fragmented malware ecosystem

The disclosure comes after DomainTools Investigations (DTI) revealed that the DPRK’s cyber apparatus has evolved into a “deliberately fragmented” malware ecosystem that is mission-driven, operationally resilient, and resistant to attribution efforts. The change is believed to be a response to law enforcement actions and disclosures about North Korea’s hacking activities.

“Malware development and operations are becoming increasingly fragmented, both technically and organizationally, to ensure that infections in one mission area do not spread throughout the program,” DTI said. “Importantly, this model maximizes ambiguity. North Korea complicates attribution and slows defender decision-making by separating tools, infrastructure, and operational patterns along mission lines.”

To this end, DomainTools noted that North Korea’s espionage-oriented malware track is primarily linked to Kimsuky, while the Lazarus Group has become a “nucleus” for sanctions evasion, spearheading efforts to generate illicit revenue for the regime. The third track revolves around the deployment of ransomware and wiper malware for strategic signaling and for drawing attention to its capabilities; this destructive branch is associated with Andariel.

Social engineering behind Contagious Interview and IT worker fraud

Social engineering and deception continue to be the primary catalysts for many intrusions attributed to North Korean threat actors. This includes the recent supply chain breach of Axios, a very popular npm package, as well as ongoing campaigns such as Contagious Interview and IT worker fraud.

Contagious Interview is the name given to a long-running campaign in which attackers approach potential targets and have them execute malicious code from a fake repository as part of a job assessment. Some of these efforts used weaponized Node.js projects hosted on GitHub to deploy a JavaScript backdoor known as DEV#POPPER RAT and an information stealer known as OmniStealer.

North Korean IT worker fraud, on the other hand, refers to a coordinated effort by North Korean operatives to obtain remote freelance and full-time jobs at Western companies using stolen identities, AI-generated personas, and forged credentials. Once hired, they generate a steady stream of revenue and use their access to deploy malware and siphon sensitive information. In some cases, stolen data can be used to extort money from companies.

The state-backed program places thousands of technically skilled workers in countries such as China and Russia, who connect to company-issued laptops hosted on laptop farms in the United States and elsewhere. The scheme also relies on a network of facilitators to pick up work laptops, manage payroll, and handle logistics. These facilitators are hired through shell companies.

The process begins with a recruiter identifying and screening potential candidates. Once accepted, IT workers enter the onboarding phase, where a facilitator assigns them an identity and profile and guides them through updating their resume, preparing for an interview, and making their first job application. Threat actors also work with collaborators to meet full-time employment requirements with strict identity verification policies.

As Chainalysis pointed out, cryptocurrencies play a central role in funneling a large portion of the wages generated by these IT worker programs into North Korea, while circumventing international sanctions.

“The cycle is constant and never-ending, and North Korean IT workers understand that sooner or later they will either quit their roles or be fired,” Flair and IBM X-Force said in a report last month. “As a result, they are constantly moving between jobs, identities, and accounts, never staying in one position or using a single persona for long periods of time.”

New evidence unearthed by Flair has since revealed an aggressive campaign to recruit workers from Iran, Syria, Lebanon, and Saudi Arabia, with at least two Iranians receiving formal offer letters from U.S. employers. There are more than 10 cases in which Iranian nationals have been recruited by the regime.

The facilitators were also found to have used LinkedIn to hire other people from Iran, Ireland, and India, who were then coached to land jobs. These individuals, known as callers or interviewers, conduct telephone conversations with American recruiters, pass technical interviews, and impersonate real or fabricated Western nationals hand-picked by the facilitators. If a caller fails an interview, the facilitator reviews the recording and provides feedback.

“North Korea is deliberately targeting U.S. defense contractors, cryptocurrency exchanges, and financial institutions,” Flair said. “Although the primary motive appears to be financial, the deliberate targeting evident in the documents indicates that other motives may also exist.”

“North Korea is not just sending its own nationals under false identities; it has built a multinational recruitment pipeline, drawing skilled developers from Iran, Syria, Lebanon, and Saudi Arabia into infrastructure designed to infiltrate U.S. defense contractors, crypto exchanges, financial institutions, and companies of all sizes. The recruits are real software engineers, paid in crypto, coached through interviews, and embedded in fabricated Western personas.”
